Auto-populate the SNOW MITRE ATT&CK Card

Barry11
Kilo Contributor

‎12-05-2022 07:10 AM

Hi, my organization recently switched on MITRE ATT&CK framework for Security Incident response (SIR). We have an integration with a SIEM (Devo) which generates SIR tickets in ServiceNow; the ticket in SNOW contains MITRE TTP data in a Description field (example attached).

Is there a way to auto-populate the SNOW MITRE ATT&CK Card with the MITRE TTP information from the SIEM?

 

Thank you

Preview file
1 KB
0 Helpfuls
  • 696 Views
1 REPLY 1

Brad W1
ServiceNow Employee
ServiceNow Employee

‎12-05-2022 08:26 AM

@Barry11 have a look at the SIEM auto-extraction rules here:

https://docs.servicenow.com/csh?topicname=auto-extract-technique-rules.html&version=latest

I am not sure how your integration with Devo is built, but hopefully its built using Import Tables.

 

- Brad W.

0 Helpfuls